What is the point of VirtualProtect when any process, including malware, can use it?

Timothy Hanes picture Timothy Hanes · May 4, 2015 · Viewed 11.5k times · Source

I understand that the VirtualProtect function changes the permissions on a page in memory without question. Surely this ends up with no immediate purpose when any running process is able to use it?

For example, someone could easily write a piece of malware which uses the VirtualProtectEx function in order to detour instructions and cause havoc. On the other hand, a user may have a legitimate reason for allowing a process to modify memory (ie. game cheats).

Answer

Sebastian Redl picture Sebastian Redl · May 4, 2015

Someone could easily write that piece of malware, but how would they get the target to execute it?

VirtualProtect allows me to make memory executable selectively. This means that I can mark the buffer where I store untrusted data as non-executable, and the security vulnerability that I have that allows the untrusted user to modify the return address of my function cannot jump to that buffer and execute code there, thus stopping an attacker from executing VirtualProtect himself.

It also allows me to make memory read-only. This means I can mark the area next to the untrusted buffer read-only, and a buffer overflow cannot overwrite more essential data. Thus, no remote code in my application, no VirtualProtect by the attacker.

Once the attacker somehow gains access to the system, he can use VirtualProtect to remove protections of processes at the same security level, but at this point you have already lost anyway.